Fixes a buffer overflow triggered when more than three "--readfd"
arguments were given on the command line.
Signed-off-by: Tim Wiederhake <twiederh@xxxxxxxxxx>
---
tests/commandhelper.c | 27 ++++++++++++++++++++++-----
1 file changed, 22 insertions(+), 5 deletions(-)
diff --git a/tests/commandhelper.c b/tests/commandhelper.c
index 8a9a3c96a0..ac64505461 100644
--- a/tests/commandhelper.c
+++ b/tests/commandhelper.c
@@ -204,13 +204,23 @@ static int printCwd(FILE *log)
static int printInput(struct Arguments *args)
{
char buf[1024];
- struct pollfd fds[3];
- char *buffers[3] = {NULL, NULL, NULL};
- size_t buflen[3] = {0, 0, 0};
+ struct pollfd *fds = NULL;
+ char **buffers = NULL;
+ size_t *buflen = NULL;
int ret = -1;
size_t i;
ssize_t got;
+ if (!(fds = calloc(args->numreadfds, sizeof(*fds))))
+ goto cleanup;
+
+ /* plus one NULL terminator */
+ if (!(buffers = calloc(args->numreadfds + 1, sizeof(*buffers))))
+ goto cleanup;
+
+ if (!(buflen = calloc(args->numreadfds, sizeof(*buflen))))
+ goto cleanup;
+
if (args->close_stdin) {
if (freopen("/dev/null", "r", stdin) != stdin)
goto cleanup;
@@ -292,8 +302,15 @@ static int printInput(struct Arguments *args)
ret = 0;
cleanup:
- for (i = 0; i < G_N_ELEMENTS(buffers); i++)
- free(buffers[i]);
+ if (buffers) {
+ char **ptr;
+ for (ptr = buffers; *ptr; ptr++)
+ free(*ptr);
+ }
+ free(fds);
+ free(buflen);
+ free(buffers);
+
return ret;
}
--
2.26.2
